General
Target: purchase order.exe
Size: 887KB
Sample: 201126-1ewgrapzb6
MD5: 975187a07455d3cbf38ec878d893b490
SHA1: af8ddbf775cdb9dbd3776f717c192094202127be
SHA256: 009d9a0f6fafa91b750271413fef5771a4ce5855a59c0e6c16c85eb7de08e52b
SHA512: 378768e3aa1a49e6dce7a83197c1eceb86111422a6886fbe9e3ba7df75ce2bdb0f0979620a8eb905153caf276b43a23dd19885ff487586b3069a515cceb15222
Static task: static1
Behavioral task: behavioral1
Sample: purchase order.exe
Resource: win7v20201028
Malware Config
Extracted: formbook
Targets
- Formbook Payload
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Deletes itself
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext